Design flaws in the Wi-Fi Protected Setup (WPS) standard used by most modern routers could make it easier to retrieve a wireless network's password through brute force and leave it open to attack. The issue was first brought to light by security researcher Stefan Viehböck and has since prompted a vulnerability notice from the U.S. Computer Emergency Readiness Team (CERT).

The WPS standard was created in 2007 by the Wi-Fi Alliance in order to provide non-technical users with simpler methods of setting up secure wireless networks. One of these methods uses a predefined eight-digit PIN number printed on a sticker by the router manufacturer. The problem, according to Viehböck, is that entering the wrong PIN returns information that could be useful to a hacker.

Ideally an eight-digit PIN code would produce 100,000,000 possible combinations, enough to keep an attacker busy for a few years if attempting a brute force break-in. But the protocol used by Wi-Fi Protected Setup responds to failed authentication attempts by indicating if the first or second halves of the PIN number are correct, significantly reducing the possible combinations. Plus, the last digit is actually the checksum of the other seven. That means an attacker only has to try 11,000 different combinations to find the right PIN.

In his tests, Viehböck found that an authentication attempt takes between 0.5 and 3 seconds and the majority of routers don't implement lock-down periods after several consecutive failed WPS authentication attempts. Only one router from Netgear slowed its responses to failed authentication attempts in order to mitigate against the attack, but that only extended the attack time to a day or so — otherwise it can take 2-4 hours.

Devices from Buffalo, D-Link, Linksys, Netgear and others are affected. Presummably, the flaw can be addressed with a simple software fix, but until then the US-Cert is recommending users switch off WPS.Source